Mobile Threat Blog


Android’s Achilles Heel: OS Updates

The Federal Trade Commission and the Federal Communications Commission said they are collaborating on an investigation into security update practices of the leading carriers–an investigation clearly aimed at exposing the number of out of date and unpatched Android devices in operation.

In a letter sent to AT&T, Verizon, T-Mobile, Sprint, US Cellular, and Tracfone and others, the FTC and FCC said they are “seeking to compile data concerning policies, procedures, and practices for providing security updates to mobile devices offered by unnamed persons, partnerships, corporations, or others in the United States.” The letter asks for details regarding security update processes, how vulnerabilities are addressed, how they are communicated, and the frequency and timing of security updates.

It’s common knowledge that even if Google provides a patch, users may never see it:

“It’s a logistics nightmare. And as a result, most phones are lucky to receive any updates,” said Christopher Soghoian, the principal technologist at the American Civil Liberties Union’s Speech, Privacy, and Technology Project.

Christopher Soghoian should know. In 2013, he authored an ACLU complaint to the FTC over Android security, arguing that “the major wireless carriers have engaged in ‘unfair and deceptive business practices’ by failing to warn their customers about known, unpatched security flaws in the mobile devices sold by the companies.” iOS users don’t have to worry about this, because Apple ships updates directly to devices rather than routing them through the carriers.

“…one of the big disadvantages of Google’s approach is they don’t have a system for easy OS updates when vulnerabilities are discovered. As noted earlier, Android Marshmallow was released in October 2015 and over six months later has only been installed on 4.6% of Android devices. In contrast, just four months after being released, iOS 9 was installed on 75% of iOS devices.”

Google has made great strides in improving Android security in recent years. But if their latest and greatest software is only in the hands of 1 out of 20 users, they are leaving a lot of users–and the enterprises they work for–with serious vulnerabilities. That’s part of the reason we find that most of the mobile devices we encounter in enterprises are iOS, even though Android has the higher consumer market share by far.
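The practical question for an enterprise is which of its Android devices are actually behind. The following script is an added example, not code from the original post or from any vendor: it reads `getprop` output (on a real device, `adb -s SERIAL shell getprop`) and flags devices whose `ro.build.version.security_patch` value is missing or earlier than a cutoff date. The cutoff, the device serials and the property dumps are constructed for the example; the property names are the standard Android ones.

```shell
#!/bin/sh
# Added example: flag Android devices with a stale security patch level.
# The patch level is a YYYY-MM-DD string, so removing the dashes gives an
# integer that compares correctly; no date arithmetic is needed.
CUTOFF="${CUTOFF:-2016-01-01}"   # oldest acceptable patch level (assumed value)

# Extract one property from a `getprop` dump on stdin. Dump lines look like:
#   [ro.build.version.security_patch]: [2015-10-01]
getprop_value() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^\[$pat\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Print STALE or OK for a patch-level string. An empty or malformed value
# (builds that predate the monthly bulletins lack the property) counts as STALE.
patch_status() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo STALE; return 0 ;;
    esac
    if [ "$(printf '%s' "$level" | sed 's/-//g')" -lt "$(printf '%s' "$CUTOFF" | sed 's/-//g')" ]; then
        echo STALE
    else
        echo OK
    fi
}

# Report one device: serial as $1, its getprop dump on stdin.
# Output is tab-separated: serial, release, patch level, status.
report_device() {
    serial="$1"
    dump=$(cat)
    level=$(printf '%s\n' "$dump" | getprop_value ro.build.version.security_patch)
    release=$(printf '%s\n' "$dump" | getprop_value ro.build.version.release)
    printf '%s\t%s\t%s\t%s\n' "$serial" "${release:-?}" "${level:-none}" "$(patch_status "$level")"
}

# Constructed sample dumps standing in for `adb -s SERIAL shell getprop`.
SAMPLE_A='[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-05-01]
[ro.product.model]: [sample-a]'
SAMPLE_B='[ro.build.version.release]: [5.1.1]
[ro.build.version.security_patch]: [2015-10-01]
[ro.product.model]: [sample-b]'
SAMPLE_C='[ro.build.version.release]: [4.4.2]
[ro.product.model]: [sample-c]'

printf '%s\n' "$SAMPLE_A" | report_device serial-a
printf '%s\n' "$SAMPLE_B" | report_device serial-b
printf '%s\n' "$SAMPLE_C" | report_device serial-c
```

In a real inventory the loop body is `adb -s "$serial" shell getprop | report_device "$serial"` over `adb devices`; treating an absent property as stale matters because the devices most likely to be unpatched are exactly the ones too old to carry a patch-level string at all.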